csmcanarney
Newbie
Offline
Activity: 16
Merit: 0
November 28, 2014, 11:15:56 AM
Relax, people. Ryan's most likely asleep as even on the East coast it's not even 7:00 yet and yesterday was Thanksgiving, a holiday most people in the US spend eating and drinking with their families. Shouting on the forums isn't going to make him wake up any faster.
I don't see why this would mark the end of MoneyPot, either. The damage that can be caused to the bankroll is limited to what's in the hot wallet.
feryjhie
November 28, 2014, 11:24:49 AM
I made screenshots of some of his more astonishing wins: now he is on 25 BTC Profit
chaoman
November 29, 2014, 03:22:14 AM
Perhaps I should just have more patience, but I deposited 900,000 satoshi from Prime Dice directly into MoneyPot and it has yet to show up.
james.lent
November 29, 2014, 04:04:44 AM
Glad there's still good guys out there, kudos Foo.
SpreadBit
Full Member
Offline
Activity: 154
Merit: 100
November 29, 2014, 05:25:44 AM
Tried it with 2 mBTC, got a profit of 1.34x. Nice game.
james.lent
November 29, 2014, 06:14:03 AM
Alien language to me
caga
Full Member
Offline
Activity: 238
Merit: 100
November 30, 2014, 02:06:31 AM
How is the code exploitive? I am new to this like a lot of others too.
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
November 30, 2014, 02:46:08 AM Last edit: November 30, 2014, 04:17:30 AM by dooglus
How is the code exploitive? I am new to this like a lot of others too.
It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled). Because it was so timing-sensitive, the code had to be rather complex, taking into consideration network latency to decide how and when to act.
Let me see if I can explain it differently. As a round progresses, the server sends regular 'tick' messages to the client, saying: "1.10x and the game didn't crash yet", "1.20x and the game didn't crash yet", etc., and the client fills in the gaps in between, making the number count up smoothly, animating the chart, etc.
The exploit code would set the auto-cashout at 1.11x, and wait for a short time. Just before the "1.20x and ..." message was due, it would update its auto-cashout to 1.21x, and so on. It was changing the auto-cashout just before each 'tick' was due, changing the auto-cashout to just after the next tick's multiplier. When the game eventually crashed (at 1.27x, say), the server would check the auto-cashout, see that foo had his set to 1.21x, and pay him accordingly.
The problem is that the server only checks for auto-cashout points at each tick. If you have one set at 1.11x, it doesn't get paid out until the next tick (because there is really nothing between the ticks - the steady payout multiplier increase is an illusion presented by the client), at 1.20x. So you could move it up to 1.21x just before that tick.
The fix is to prevent players from changing their auto-cashout point. That's not a problem because the feature was never published anyway. You would never have even known there was the possibility of changing your auto-cashout point mid-game unless you had read the source code.
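Added example, not MoneyPot's code and not posted by anyone in this thread: a model of the tick-based settlement dooglus describes above, where targets are evaluated only at ticks and, on the vulnerable server, the auto-cashout can still be moved mid-round; the hardened variant rejects any change once the round has started. The tick spacing (0.10x), the player name, the wager and the crash point are constructed to match the post's worked numbers.

```javascript
const TICK_STEP = 0.10; // constructed: ticks at 1.10x, 1.20x, ... as in the post
class CrashRound {
  constructor(crashAt, lockTargets) { // lockTargets: false = vulnerable, true = hardened
    this.crashAt = crashAt;            // multiplier at which the round busts
    this.lockTargets = lockTargets;
    this.bets = new Map();             // player -> { wager, target, payout }
    this.multiplier = 1.0;             // last multiplier confirmed by a tick
    this.over = false;
  }
  placeBet(player, wager, target) {
    if (this.multiplier > 1.0 || this.over) return false; // only before the round starts
    this.bets.set(player, { wager, target, payout: null });
    return true;
  }
  // Vulnerable: target may move mid-round. Hardened: rejected once the first tick has passed.
  setAutoCashout(player, target) {
    const bet = this.bets.get(player);
    if (!bet || bet.payout !== null || this.over) return false;
    if (this.lockTargets && this.multiplier > 1.0) return false;
    bet.target = target;
    return true;
  }
  // One server tick. Targets are evaluated only here; the smooth counter between ticks is client-side.
  tick() {
    if (this.over) return;
    const next = Math.round((this.multiplier + TICK_STEP) * 100) / 100;
    if (next > this.crashAt) return this.end();
    this.multiplier = next;
    for (const bet of this.bets.values()) {
      if (bet.payout === null && bet.target <= next) bet.payout = bet.wager * bet.target;
    }
  }
  // game_end: unpaid targets at or below the crash point are paid, the rest lose.
  end() {
    this.over = true;
    for (const bet of this.bets.values()) {
      if (bet.payout === null) bet.payout = bet.target <= this.crashAt ? bet.wager * bet.target : 0;
    }
  }
  payout(player) { return this.bets.get(player).payout; }
}
// The post's scenario: crash at 1.27x, bet targeting 1.11x, target moved to 1.21x after the 1.10x tick.
function playScenario(lockTargets) {
  const round = new CrashRound(1.27, lockTargets);
  round.placeBet('foo', 1, 1.11);
  round.tick();                                    // 1.10x tick: 1.11x not reached, still unpaid
  const moved = round.setAutoCashout('foo', 1.21); // accepted only by the vulnerable server
  while (!round.over) round.tick();
  return { moved, payout: round.payout('foo') };
}
```

With `lockTargets` false the move is accepted and the bet settles at 1.21x when the round busts at 1.27x; with it true the move is refused and the bet is paid at its original 1.11x on the 1.20x tick.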
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
November 30, 2014, 04:22:23 AM
I'm really impressed by the person who abused this bug. Not only due to the complexity of the exploit, but the fact he only took 5 of the 25 BTC in the hot wallet. He likely could have slowly abused the bug leading to the eventual shutdown of MP, but instead was a class act. I'm really thankful for that and working on better security measures so I won't need to rely on the kindness of strangers as much.
He probably still has most of the 1000 BTC he took from primedice...
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
November 30, 2014, 04:32:37 AM
He probably still has most of the 1000 BTC he took from primedice...
Sounds as if this is sort of a suggestion on who it is. Did you recently learn linear regression?
Lol, no. I used to play with it on my old Casino programmable calculator in school, but not since. I figure that there have been two clever attacks on Bitcoin gambling sites very recently, and figure it's not all that unlikely that the same person is behind them both.
caga
Full Member
Offline
Activity: 238
Merit: 100
November 30, 2014, 03:55:21 PM
How is the code exploitive? I am new to this like a lot of others too.
It requires quite an in-depth understanding of moneypot source to understand. But the high level of it is that money pot's game_end event was leaking information (or more precisely the lack of money pot's game_end event) which could be abused by taking advantage of dynamically moving the autocashout amounts (something that is now disabled). Because it was so timing-sensitive, the code had to be rather complex, taking into consideration network latency to decide how and when to act.
Let me see if I can explain it differently. As a round progresses, the server sends regular 'tick' messages to the client, saying: "1.10x and the game didn't crash yet", "1.20x and the game didn't crash yet", etc., and the client fills in the gaps in between, making the number count up smoothly, animating the chart, etc.
The exploit code would set the auto-cashout at 1.11x, and wait for a short time. Just before the "1.20x and ..." message was due, it would update its auto-cashout to 1.21x, and so on. It was changing the auto-cashout just before each 'tick' was due, changing the auto-cashout to just after the next tick's multiplier. When the game eventually crashed (at 1.27x, say), the server would check the auto-cashout, see that foo had his set to 1.21x, and pay him accordingly.
The problem is that the server only checks for auto-cashout points at each tick. If you have one set at 1.11x, it doesn't get paid out until the next tick (because there is really nothing between the ticks - the steady payout multiplier increase is an illusion presented by the client), at 1.20x. So you could move it up to 1.21x just before that tick.
The fix is to prevent players from changing their auto-cashout point. That's not a problem because the feature was never published anyway. You would never have even known there was the possibility of changing your auto-cashout point mid-game unless you had read the source code.
Thanks for the explanation.
That sounds like a really clever method, and only an extremely smart coder would be able to pull it off. Sometimes, when such smart people take your money, it doesn't feel bad.
Magic Of Nigeria
November 30, 2014, 06:43:37 PM
Moneypot is by far my favorite game to play when I have some extra bitcoins lying around. It's never a boring time at MoneyPot!
Testing123
November 30, 2014, 06:53:12 PM
He probably still has most of the 1000 BTC he took from primedice...
Sounds as if this is sort of a suggestion on who it is. Did you recently learn linear regression?
Lol, no. I used to play with it on my old Casino programmable calculator in school, but not since. I figure that there have been two clever attacks on Bitcoin gambling sites very recently, and figure it's not all that unlikely that the same person is behind them both.
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
November 30, 2014, 09:06:49 PM
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
BayAreaCoins
Legendary
Offline
Activity: 4032
Merit: 1250
Owner at AltQuick.com
November 30, 2014, 09:39:29 PM
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
Which is sort of funny because I believe PD had a big winner before the "hack". Someone told me IRL "Did you hear about that big winner on PD?!"
blockage
Member
Offline
Activity: 100
Merit: 10
Vires in numeris.
November 30, 2014, 10:50:37 PM
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
Which is sort of funny because I believe PD had a big winner before the "hack". Someone told me IRL "Did you hear about that big winner on PD?!"
Is that about hufflepuff? Was it a confirmed hack or just Stunna being butthurt searching for explanations? Do you have a link to the topic, so that I don't have to go through tons of spam in the PD thread?
calci
Full Member
Offline
Activity: 168
Merit: 100
November 30, 2014, 10:52:24 PM
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that, big time.
FirestarterX
Member
Offline
Activity: 109
Merit: 10
December 01, 2014, 12:33:54 AM
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that, big time.
Why are we talking about PD on the MoneyPot thread?
BayAreaCoins
Legendary
Offline
Activity: 4032
Merit: 1250
Owner at AltQuick.com
December 01, 2014, 04:08:12 AM Last edit: December 01, 2014, 04:18:52 AM by BayAreaCoins
Wasn't the attacker on PD only able to withdraw 40 BTC before his misbehavior was noticed and all his other withdrawals were blocked?
On the account where he was obvious about it, sure. I wonder if he had other accounts that he used before that, where he won a bunch in a less obvious way?
The way that guy acted out, making straight flat bets at 50% and winning like 100 times, was probably his way to reveal the bug or show that he had hacked the system. I don't think someone who could have found the flaw would make such bets. He probably hit PD before that, big time.
Why are we talking about PD on the MoneyPot thread?
Speculating there is a chance that it is the same dude. Both pretty bright attacks and such.